CVE-2025-59046
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-09-11
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ninofiliu | interactive-git-checkout | 1.1.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the npm package 'interactive-git-checkout' is a command injection flaw (CWE-77). The tool takes the branch name chosen by the user and interpolates it into a 'git checkout' command string that is run through Node.js's child_process.exec(), which passes the string to the system shell, without validating or sanitizing the input. Shell metacharacters in the branch name (for example ';', '&&' or backticks) therefore become additional commands that run with the privileges of the user invoking the tool.
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary commands on the system where the 'interactive-git-checkout' tool is used. This can lead to full system compromise, including unauthorized access, data modification, or denial of service.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the `interactive-git-checkout` package to a version later than 1.1.4 where the issue is fixed (commit 8dd832dd302af287a61611f4f85e157cd1c6bb41). Avoid using vulnerable versions and ensure that any usage of this tool does not process untrusted input without validation.